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Abstract:- The security of vehicular ad hoc networks (VANETs) has been receiving a significant amount of 
attention in the field of wireless mobile networking because VANETs are vulnerable to malicious 
attacks. Asymmetric cryptography schemes are not suitable for highly dynamic environments. Cryptanalysis is 
not verified and protocol is not secure.lt adopts transitive trust relationships to improve the performance of the 
authentication procedure and only needs a few storage spaces. To propose a decentralized trust authentication 
mechanism for cryptanalysis scheme, inside attacks, secure routing protocol. Intend to develop an intrusion 
detection mechanism to enhance the network security. 

Index Terms:- Authentication, decentralized, trust-extended, vehicular ad hoc networks (VANETs). 



I. INTRODUCTION 

Vehicular ad hoc networks (VANETs) have been attracted increasing attention from both industry and 
academia [1]. The major components of a VANET are the wireless on-board unit (OBU), the roadside unit 
(RSU), and the authentication server (AS). OB Us are installed in vehicles to provide wireless communication 
capability, while RSUs are deployed on intersections or hotspots as an infras-tructure to provide information or 
access to the Internet for vehicles within their radio coverage. The AS is responsible for installing the secure 
parameters in the OBU to authenticate the user. Based on IEEE 802. lip, the dedicated short range com- 
munication system [2] supports two kinds of communication environments: vehicle-to-infrastructure (V2I) and 
vehicle-to- vehicle (V2V) communications. 

A number of studies [3] -[5] have focused on the problem of data dissemination in VANETs. However, 
these schemes do not consider the security problem. Recently, the security issue in VANETs has become a hot 
topic, and then many researchers provide the V2I and V2V authentication mechanisms to protect valid users. 
However, the design for an efficient V2V authentication mechanism is more challenge than that for V2I 
authentication mechanism in VANETs because the vehicle cannot be authenticated via the infrastructure directly 
in V2V communications. Therefore, we focus on V2V network environments and propose an efficient 
authentication scheme in this paper. 

To address the above need, we propose a decentralized authentication scheme, called TEAM, for V2V 
communication networks. There exists no centralized authority to perform the authentication procedures of 
vehicles. TEAM is a lightweight authentication scheme because it only uses an XOR operation and a hash 
function. Although TEAM needs low computation cost, it still satisfies the following security requirements: 
anonymity, location privacy, mutual authentication, resistance to stolen -verified attacks, forgery attacks, 
modification at-tacks and replay attacks, as well as no clock synchronization problem, fast error detection, 
perfect forward secrecy, man-in-the-middle attack resistance, and session key agreement. Moreover, our scheme 
only requires a few storage spaces than other schemes because the vehicle does not need to store the 
authentication information (e.g., public key) of the entire vehicle. 

The preliminary version of this paper was published in IEEE CECNET 2011 [10]. In this paper, we 
describe the proposed scheme in detail. We add the adversary model discussion, secure communication, 
password change, key update, and key revocation procedures in this enhanced version. Moreover, we propose 
the analysis of computational and storage costs of TEAM, and then we use the NS-2 network simulator to 
evaluate the performance of TEAM. 

The remainder of this paper is organized as follows. Section II contains a review of related work. In 
Section III, we introduce some preliminaries, and in Section IV, we describe the proposed scheme in detail. 
Analyses of the security and performance are presented in Section V. Then, in Section VI, we summarize our 
conclusions and consider future research avenues. 

II. RELATED WORK 

Raya and Hubaux [6] preloaded each vehicle with a large number of anonymous public and private key 
pairs, as well as the corresponding public key certificates. Each of the public key certificates contains a 
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pseudoidentity. Then, traffic messages are signed with a public key -based scheme, and each pair of public and 
private key has a short lifetime to preserve its privacy. However, this approach works with high computation 
cost, high storage cost, and high communication overhead. Freudiger et al. [7] used the cryptographic MIX-zone 
to enhance the location privacy, and Sampigethava et al. 

[8] provided location privacy by utilizing the group navigation of vehicles. However, these approaches 
[6]-[8] do not work well in highly dynamic environments like VANETs because they use asymmetric 
cryptography or a digital signature veri-fication scheme, which results in high computation costs, long 
authentication latency, and a large storage space. Zhang et al. 

[9] proposed an RSU-aided messages authentication scheme (RAISE), which uses the symmetric key hash 
message au-thentication code, instead of a public key infrastructure -based message signature, to reduce the 
signature cost. However, in RAISE, the key agreement process still executes the exponent operations, which 
leads to a high computation cost. Moreover, the RSU needs to maintain the extra ID-Key table, resulting in more 
storage cost. Hence, there is still a need for an efficient authentication scheme for VANETs with low 
computation and low storage costs. 

III. PRELIMINARIES 

In this section, we introduce the concept of the transitive trust relationships, describe some threat 
models, and consider the security requirements of VANETs. 



A. Transitive Trust Relationships 

In VANETs, vehicles can be classified into to the following roles: a law executor (LE), a mistrustful 
vehicle (MV), and a trustful vehicle (TV) as illustrated in Fig. 1. An LE, such as police car or authorized public 
transportation (e.g., buses), acts like a mobile AS. Moreover, the LE is trustful permanently. A normal vehicle is 
regarded as trustful if it can be authenticated successfully; otherwise, it is deemed to be mistrustful. In addition, 
the TV becomes the MV when the key lifetime is over. To provide a secure communication environment, the 
OBU should be authenticated successfully before it can access the service. However, in V2V communication 
networks, as the number of LEs is finite, an LE is not always in the vicinity of the OBU. Even if the user is well 
meaning, the vehicle must still wait for the nearest LE and then perform the authentication procedure. Hence, 
there is an urgent need for an efficient authentication scheme. In this paper, we propose a TEAM to improve the 
performance of the authentication procedure in V2V communication networks. The TEAM is based on the 
concept of transitive trust relationships, as illustrated in Fig. 2. Initially, there are three vehicles in a VANET: a 
trustful LE and two other MVs carrying OBUs (i.e., OBUi and OBUj in Fig. 2). The state of the first mistrustful 
OBU (i.e., OBUi) becomes trustful and obtains the sufficient authorized parameter to authorize other mistrustful 
OBUs when it is authenticated successfully. Then, it plays the LE role temporarily to assist with the 
authentication procedure of OBU,- . 
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Fig. 1. Network architecture and the transitive trust relationships of VANETs. 
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Fig. 2. Transitive trust relationships in a TEAM. 



33 



Decentralized Trust Based Routing Scheme for Vehicular Ad Hoc Networks 



Thus, the other mistrustful OBUs can be authenticated by any trustful OBU without necessarily finding 
an LE, and all vehicles in a VANET can complete the authentication proce-dure quickly. Therefore, the key 
design issues of the authenti-cation procedure based on the transitive trust relationships are: 1) how to let the TV 
own the authentication ability; 2) how to reduce the computational cost; 3) how to prolong the trustful state of 
the TV; and 4) how to use as little storage cost as possible. 



B. Adversary Model 

The following possible attack models can be used during the V2V authentication procedure. 

1) Modification attack: The adversary modifies the packet resulting in the message against the integrity of 
the information. 

2) Message replay attack: The adversary resends valid messages sent previously in order to disturb the 
traffic flow. 

3) Movement tracking: Since wireless communication is based on a shared medium, an adversary can 
easily eavesdrop on any traffic. After intercepting a significant number of messages in a certain region, the 
adversary could trace the physical position and movement patterns of a vehicle by simply analyzing the 
information. 

4) Impersonation attack: The adversary pretends to be a valid LE/TV to cheat the unauthenticated OBUs. 
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Fig. 3. Operations of the mistrustful/trustful vehicle in a TEAM. 



C. Security Requirements 

Since the authentication scheme is susceptible to malicious attacks, our objective is to design a scheme 
that is robust to such attacks. Based on related studies [6] -[14], we define the following key security 
requirements for VANET s. 

1) Efficiency: In VANETs, the computational cost of ve -hides must be as low as possible in order to have 
a real-time response. 

2) Anonymity: The anonymous authentication procedure verifies that an OBU does not use its real identity 
to execute the authentication procedure. 

3) Location privacy: An adversary collects the serial au-thentication messages of the OBU but it still 
failed to track the location of the vehicle. 

4) Mutual authentication: A mutual authentication proce-dure is implemented whereby the LE must 
verify that the OBU is a legal user and the OBU must ensure that the LE is genuine. 

5) Integrity: The message integrity means that data cannot be modified undetectably. 

IV. TEAM 

In this section, we describe the proposed scheme in de-tail. A TEAM is a decentralized authentication 
scheme, and the LEs need not to keep the authentication information of the entire vehicles. The proposed 
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scheme involves eight procedures: initial registration, login, general authentication, password change, trust- 
extended authentication, key update, key revocation, and secure communication. Before a vehicle can join a 
VANET, its OBU must register with the AS. When a vehicle wants to access the service, it has to perform the 

login procedure. Next, the OBU checks the authentication state itself (i.e., the lifetime of the key). If 
the lifetime of the key is reduced to zero, the vehicle is mistrustful, and vice versa. The MV performs the 
general or trust-extended authentication procedure to be authenticated. The trustful vehicles assist other MVs in 
performing the authentication procedure or commu-nicate with other trustful vehicles (i.e., secure 
communication procedure) to access the Internet. The trustful vehicle performs the key update procedure with 
the LE when the key lifetime is below the predefined threshold. Moreover, we also consider the password 
change procedure for user friendly. Fig. 3 shows the operations of the mistrustful/trustful vehicle in TEAM. The 
state of the LE does not change because the LE is always trustful. 

A. Assumptions 

Many related works point out that the system of vehicle is better protected than the general mobile 
device (e.g., PDA, smartphone, etc.). Therefore, we assume that each vehicle's OBU is equipped with security 
hardware (e.g., trusted plat-form module), including an event data recorder (EDR), and a tamper -proof device 
(TPD) [15]— [17] so that an attacker cannot obtain information about the vehicle from the OBU. The EDR is 
responsible for recording important data about the vehicle, such as the location, time, preload secret key, and 
access log. The TPD provides the cryptographic processing capabilities. Finally, we assume that the time of 
every vehicle is synchronous via GPS device. 

B. Notations 

Before describing the proposed scheme, the notations used throughout this paper are listed in Table I. 
TABLE I 
Notations 



Symbol 


Description 


X 


A secret key protected by the AS 


ID, 


The public identification of entity i 


AID, 


The alias of entity i 


PW, 


The password of user i 


* K H 


A session key between entity i and entity j, where SK H =SK H 


MSGku 


A key update message 


X^Y 


User X sends a message to user Y through a secure channel 


X->Y 


User X sends a message to user Y through a common channel 


AO 


A collision-free one-way hash function 


N- 
I 


A nonce or random number i 


PSK 


A secure key set that is preshared among LEs and the AS 


e 


The XOR operator 




The combination of strings 



C. Periodic Hello Message 

In VANETs, the vehicles broadcast the hello message peri-odically with the authentication state (i.e., 
trust or mistrust). In order to ensure the network security, only the trustful vehicle can execute the secure 
communication procedure (i.e., Section IV-I). On the contrary, the MV must finish the authentication procedure 
(i.e., Sections IV-E and IV-F) in advance to com-municate with other vehicles. 

D. Initial Registration Procedure 

1) LE Registration: First, the LE performs the LE reg-istration procedure with the AS through the 
manufacturer or a secure channel. The AS computes the secure key set {PSK/, i = 1, . . . , n] based on the hash- 
chain method (e.g., h (x) = h(h(x))) and sends this key set to the LE. Note that the LE only needs to hold a 
secure key set that is stored in the security hardware and it does not need to store any authentication information 
of the user. Moreover, each PSK; has a short lifetime for robust security. Therefore, each trustful vehicle 
performs the key update procedure with the LE (i.e., Section IV-K) when the key lifetime is going to end. Fig. 4 
shows the key set generation scheme. We can see that the new PSK (e.g., PSK 2 ) cannot be inferred from the old 
PSK (e.g., PSKO since the key generation scheme has a one-way feature of the hash function. 

2) Normal Vehicle Registration: Other vehicles need to perform the normal vehicle registration procedure with 
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the AS through the manufacturer or a secure behavior when the vehicle left the car factory. This initial 
registration procedure is only performed once. Fig. 5 describes the steps of the normal vehicle registration 
procedure. 

Step 1) Useri — ► AS: A user sends the public identification IDi and his chosen password PW, to the AS via the 
manufacturer or a secure channel. 

Step 2) After receiving the user's ID and password, the AS computes the following secret 
authentication param-eters for the user: A,- = /i(ID,lbt), B t = /i 2 (ID,lbt) = h(Ai), C, = ft(PW*) ©#,-, and £>, = PSK 
A/. The objective of A t is to build the relation between the user's ID and AS. Moreover, the objective of C t is to 
build the relation among user's password, user's 
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Fig. 4. Key set generation scheme based on the hash-chain method. 
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Fig. 5. Normal vehicle registration procedure. 
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ID, and AS. Therefore, the user only keys in the correct personal information (i.e., ID, and PW,-) in the login 
procedure. Otherwise, the OBU,- rejects this login request. 

Step 3) AS— ► User^ The AS stores the parameters (i.e., ID,, B h Q, D h h( )) in the OBU's security hardware via 
the manufacturer or a secure channel. 

Note that the AS does not need to store the user's verifi-cation information (e.g., the user's password). 
Therefore, an adversary cannot obtain the information to launch a stolen -verified attack. 

In addition, the registered user cannot impersonate to an-other valid user successfully when the user obtains the 
above parameters. This is because the user does not know the AS's secret (i.e., x). 

E. Login Procedure 

The login procedure is the first checkpoint. The OBU will detect an error event immediately if the user 
has malicious intentions. Fig. 6 shows the steps of the login procedure. Step 1) Use^— >OBUi: When a user 
wants to access the service, he/she inputs ID, and PW t to the OBUi. 

Step 2) The OBUi checks the ID, and verifies whether /z(PW,) C, is equal to B h where B t and C, are obtained 
from the initial registration procedure. If the information is correct, the OBUi performs the general 
authentication procedure. Note that /z(PW,) C, has to be equal to B t . If the values are not equal, it means that 
the user inputs the wrong ID, or PW„ resulting in the login request will be rejected. 
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Fig. 7. General authentication procedure. 

F. General Authentication Procedure 

The OBU performs the general authentication procedure after the user completes the login procedure. 
Note that the OBU never uses the real identity of the user to perform the authentication procedure so nobody can 
obtain the user's real identity (i.e., ID,) via the intercepted message. Fig. 7 shows the steps of the procedure. 
Step 1) The OBUi generates a random number N\ and calculates the message M\ as /z(#,)®tyi. Then, it computes 
the alias AID, as h(Ni)(SD h and generates the message M 2 as h(Ni\\AK>i\\Di). 
Step 2) OBU/ —>LEj : The OBU; sends an authentication 

request (i.e., AID,, M b Af 2 , A) to the LE ] . 
Step 3) The LE 7 verifies that the OBU, is trustful: On re- 
ceipt of the authentication request, the LE 7 uses 

a secure preshared key (i.e., PSK) to obtain A,- 
(i.e., A PSK). The LE retrieves the value of 

i = A0 2 
Ni (i.e., Nx=Mi& (A,)) and then checks whether 

h(N\\ I AID/I I A) is equal to Af 2 . It rejects the au- 
thentication request if h(N\ 1 1 AID, 1 1 A) and M 2 do 
not match, which means the authentication message 

has been modified. Next, the LE 7 computes IDi as 
AIDi(£h(Ni), generates a random number N 2 , com- 
putes AID 7 as ID 7 ®V 2 , and calculates a session key 
SK, 7 as h(Ni\\N 2 ). Finally, the LEj computes the 
authentication reply message (i.e., AID 7 , M 3 , M 4 , 

M 5 ), where M 3 is N 2 %h 2 (N x ), M 4 is A f 0A(/D f ), and 
M 5 is h(M 4 \\N 2 \\AlDj). 
Step 4) LE 7 — >OBU,: The LE 7 returns the authentication 
reply message (i.e., AIDy , M 3 , M 4 , M 5 ) to the 
OBUi. 

Step 5) The OBU verifies that the LE is trustful: The OBU, 
computes the value of h (N\), retrieves the ran- 
dom number Af 2 (i.e., N 2 =M 3 Qh (N\)) 9 and checks 

whether h(M 4 \ \N 2 \ I AIDy ) is equal to M 5 . If the 
information is correct, the OBU, calculates the value of A, (i.e., A,=M 4 ®^(ID,)), computes the session key (i.e., 
SK,y =h(Ni\\N 2 )), and sto res A, in the security hardware. 

I Check fl> t 

Fig. 8. Password change procedure. 
Step 6) OBU,^LE 7 : The OBU, sends the message (i.e., SK, } ®h(N 2 )) to the LE 7 . 

Step 7) The LE uses the session key SK,y to retrieve the value (i.e., h(N 2 )). Then, it checks this value to prevent 
an invalid OBU from executing a replay attack. 

In this time, this OBU becomes trustful and obtains an authorized parameter (i.e., PSK = A, A) when 
it is authenticated successfully. Thus, the other mistrustful OBUs can be authenticated by it without necessarily 
finding an LE. 

G. Trust-Extended Authentication Procedure 

We adopt the trust-extended mechanism based on the con-cept of transitive trust relationships to 
improve the perfor-mance of the authentication procedure. The state of a mis-trustful OBU becomes trustful and 
then obtains an authorized parameter (i.e., PSK) when the OBU is authenticated success-fully. Then, the trustful 
OBU plays the role of LE temporarily to assist with the authentication procedure of a mistrustful OBU. In this 
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procedure, the trustful vehicle performs the authentication procedure and works as an LE. Note that it still does 
not need to store the authentication information of the user. Hence, our scheme only has a few storage spaces. 
Then, the steps of the general authentication and the trust-extended authentication procedures are the same. As a 
result, all vehicles in a VANET can complete the authentication procedure quickly. 
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Fig. 9. Secure communication procedure. 



//. Password Change Procedure 

Although the password change procedure is optional, we still discuss it for completeness. This 
procedure is invoked when a user wants to change his password. It can be completed without any assistance 
from the AS since the security hardware of the OBU stores the parameters B t and Q. Fig. 8 shows the password 
change procedure and the steps are described as follows. 

Step 1) The user keys in his ID, and PW ( . 

Step 2) The OBU checks the ID, and verifies that /z(PW,)®C,- is equal to B t . If the information is correct, the user 
can key in the new password PW* The OBU then 

computes C* = Q0/z(PW;)(B^(PW* ,) = #,-0/z(PW* ,) as the password and replaces C t with C* . 

/. Secure Communication Procedure 

Two trustful vehicles perform the secure communication procedure when they want to communicate 
with each other, as shown in Fig. 9. The steps are described as follows. 

Step 1) After the login procedure, the OBU, generates an alias AID, and the messages for the authentication 
request (i.e., M u Af 2 ), where N 3 is another random number, AID, is N 3 ®D„ M x is PSK0V 3 , and M 2 is PSK0 
/z(AID, 1 1 N 3 ). Note that PSK is obtained from the general/trust-extended authentication procedure. 
Step 2) OBU,— ►OBUy : The OBU, sends a secure communi-cation request (i.e., AID,, M 1? M 2 ) to the OBU,- . 
Step 3) The OBU,- verifies that the OBUi is trustful: on re-ceipt of the request, the OBU,- uses PSK to obtain N 3 
from Mi and then checks the value of /z(AID,IL/V 3 ). If the value is not correct, it means the message has been 
modified, and the OBU,- rejects the request. Next, the OBU,- generates a random number N 4 , com-putes its alias 
AID,- , and calculates a session key SK,y as h(N 3 \\N4\\PSK). Then, the OBU,- computes the reply message (i.e., 
M 3 , M 4 ), where M 3 is PSK ©Af 4 and M 4 is PSK ©/z(AID,ll^ 4 ll/z(7V 3 )). 

Step 4) OBU, — >OBU,: The OBU, returns the reply message (i.e., AID, , M 3 , Af 4 ) to the OBU,. 

Step 5) The OBU, verifies that the OBU 7 is trustful: the 

OBU, computes the value of h(N 3 ), uses PSK to 

retrieves the random number N4, and checks the 

value of h(AlDj I \N 4 \ \h(N 3 )). If the information is 

correct, the OBU, calculates the session key (i.e., 

SK, } = ^(A^IIA^IIPSK)) for this communication. 

Step 6) OBU,— ►OBU, : the OBU, sends the message (i.e., 

SK, } ®h(N 4 )) to the OBUj. 

Step 7) The OBU,- uses the session key SK,y to retrieve the 

value (i.e., h(N 4 )). It then checks this value to prevent an invalid OBU from executing a replay attack. Then, two 
trustful vehicles can use this session key to communicate securely. 

/. Key Revocation Procedure 

In our scheme, the mechanism of key revocation is based on timer which treats as the lifetime of the 
key. The authentication state of a mistrust vehicle becomes trustfully and obtains an authorized parameter (i.e., 
PSK) when the vehicle performs the authentication procedure successfully. Then, the authentication state in the 
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hello message is changed to trust and the secure hardware sets up a timer to count down. When the lifetime of 
the key is over, the state of the vehicle is changed to mistrust. Certainly, our scheme is easy to integrate with 
other key revocation schemes (e.g., token -based mechanism [20]). In fact, the system can ask the trustful vehicle 
to perform the key update procedure (i.e., Section IV-K) on the hour (or several hours) for reducing the 
compromised probability. 

K. Key Update Procedure 

The key update procedure is performed when the key lifetime of the TV will terminate. The TV 
extends its state of trustfulness after it finishes the key update procedure. Fig. 10 shows the key update 
procedure and the steps are depicted as follows. 

Step 1) The key update procedure is triggered when the key lifetime is below the predefined threshold (i.e., TH). 
The OBU, prepares to send a key update message to the LE. The OBU, generates a random number N 5 , 



cilttJ, | | LEj 

(i) {2) M X M 2 M) <3) 

1. Generate W 4 ' * LGet N^MSii^ 

2. M , = PSK M © N , 2. Check hi, N, \\ MS<i Ki ) = M y 

3. M 2 - PM M © hm Kl 3 . Generate /v ft 

4 . » h(N j || MSG u ) 4. M 4 = M h eh(K\) 

m. (4) A/ ( >/,,M ft 5 M, = PSK 

1 . Compute h{N, ) * 6 " M « = lj{ N * ® PSK * 

2. AT, = M i f&ii{N % ) = II M, I I'M**. I 



3. Gel PSK m 



4. Check hi N, || flSKL. ) » M, vr A ^ ^ 

5. Check rSK^mhirSK^ ) 2 * (7)UKCk 

6. JTC,«A(JV S || A/J| 

Fig. 10. Key update procedure. 



and then it computes the messages M\ as PSK old 0Af5, 
M 2 as PSK old ©VISG KU , and M 3 as h(M l \\M 2 ). 

Step 2) OBU,— >LE 7 : The OBU, sends a key update request 
(i.e., Mi, M 2 , Af 3 ) to the LE 7 . 

Step 3) The LE 7 uses the current PSK (i.e., PSK old ) to 

retrieve N 5 and MSG K u- It rejects the key update 
request if the value of h(M\ I \M 2 ) and M 3 do not 
match, which means the message has been modified. 

Next, the LE 7 generates a random number N 6 and 
computes the key update reply messages (i.e., M 4 , 
M 5 , M 6 ), where M 4 is N 6 @h(N 5 ), M 5 is PSK new 07V 6 , 
and M 6 is h(M 4 \ \M 5 ). Note that the key set of PSK is 
generated by the hash-chain method. Therefore, the 
OBU cannot use the current PSK to infer the new 

PSK. Finally, the LE 7 calculates the session key (i.e., 
SK, 7 )as /z(Af 5 IIAf 6 IIPSK new ). 

Step 4) LE 7 — ►OBU,-: The LE 7 returns the reply message (i.e., 
M 4 , M 5 , M 6 ) to the OBU,. 

Step 5) On receipt of the key update reply message, the OBU, 
computes the value of h(N 5 ), retrieves the random 
number N 6 (i.e., Af 6 =M 4 h(N 5 )), and obtains the new 
PSK. Next, the OBU, checks the value of h(M 4 l \M 5 ). 
Then, the OBU, checks whether /z(PSK new ) is equal 
to PSK old . If the value is equal, the OBU, updates 
the PSK and calculates the session key SK, 7 as 
/z(Af 5 IW 6 IIPSK new ). 

Step 6) OBU,— >LEj: The OBU, sends the message (i.e., 
SK ?/ ®h(N 6 )) to the LE 7 . 

Step 7) The LE 7 uses the session key SK, 7 to retrieve the 
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value (i.e., h(N 6 )). It then checks this value to prevent 
an invalid OBU from executing a replay attack. Then, 
two trustful vehicles can use this session key to 
communicate securely. 

V. ANALYSIS 

This section discusses the security analysis, computational cost, and storage cost of TEAM. The 
security properties of TEAM are based on a collision-free one-way hash function (e.g., SHA-512 [18]). For a 
one-way hash function h( ), when the value of x is given, it is straightforward to compute h(x); however, given 
the value of h(x), computing the value of x is very difficult or incurs a high computational cost. Besides, in the 
login procedure, the security hardware has a retry limit to prevent the attacker using a force technique to guess 
the user's password. A TEAM satisfies the following security requirements. 
A. Security Analysis 

Due to the page limit, we only discuss the security features of TEAM. Therefore, we use the same 
scheme [24]-[29] to present the security analysis. The detailed cryptanalysis of TEAM is listed in our future 
work. 

1) Anonymity: Under the proposed scheme, the original identity of every user is always converted into an 
alias that is based on a random number (e.g., AID, = h(N\) 0IDj). Therefore, an adversary cannot determine the 
user's original identity without knowing the random number A/i chosen by the OBU. Moreover, our anonymity 
mechanism is a dynamic identification process. 

2) No verification table: The AS, LEs, and TVs do not need to store the user's verification table. 
Therefore, even if an adversary can access their database, he cannot obtain the user's authentication information. 

3) Location privacy: Even if an adversary intercepts a number of messages during a certain period, he 
cannot trace the user's physical position because the system's anonymity mechanism uses a dynamic 
identification process, and generation of the session key is based on a nonce. Moreover, TEAM can utilize the 
random silent period scheme [7] or group characteristic [8] to enhance the location privacy when the OB Us do 
not have to access the service. Therefore, TEAM can improve the location privacy. 

4) Mutual authentication: A mutual authentication process is necessary. The LE needs to verify that the 
OBU is a legal user, and the OBU needs to ensure that the LE is genuine. In the general authentication 
procedure, the LE authenticates the OBU in Step 3, and the OBU authenticates the LE in Step 5, respectively. If 
the Attacker intercepts the messages and wants to forge a valid OBU/LE, it must generate a valid message to 
LE/OBU. However, the attacker cannot compute the valid message because he does not know the secure key 
(i.e., PSK;) and the random number (i.e., A^i and A^). In addition, the secure communication procedure also 
achieves the mutual authentication (i.e., in Step 3, the OBU 7 authenticates the OBU h and the OBU; authenticates 
the OBU 7 in Step 5). 

5) Clock synchronization is not required: In timestamp-based authentication schemes, the clocks of all 
vehicles must be synchronized. In TEAM, we provide a nonce -based authentication mechanism instead of 
timestamps, which cause serious time synchronization problems. 

6) Resistance to replay attacks: To protect the proposed scheme from replay attacks, we add a random 
number to the authentication message. If an adversary intercepted the message and tried to impersonate a valid 
OBU by replaying the message immediately, the LE would reject the request because the nonce in the replayed 
messages would be invalid. Moreover, the OBU also checks the random number sent by the LE to prevent 
replay attacks. 

7) Session key agreement: The proposed approach only makes one round trip between the OBU and the 
LE to generate the session key. Then, the key is used to encrypt subsequent packets to ensure that the 
communications are confidential. Since the session key is generated by a random number and a hash function, 
the adversary is hard to guess or to derive the session key from the intercepted messages. Moreover, the random 
numbers are different in each session so the session key is capable of resisting the replay attacks. 

8) Resistance to modification attacks: An adversary can attempt to modify the authentication and reply 
messages. However, we use a one-way hash function to ensure that information cannot be modified. Therefore, 
this attack will be detected because an attacker has no way to obtain the value of the random number to generate 
the legitimate message. If an attacker transmits a modified packet to the LE/vehicle, the packet can be easily 
identified by checking the hash values. Thus, our scheme ensures the message integrity. 

9) Resistance to forgery attacks: If an invalid OBU at-tempts to forge another valid OBU's ID (i.e., 
AID* the authentication will be unsuccessful (i.e., Step 3 in 
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Fig. 6). Although the attacker forges an alias ID (i.e., AID* t = h(Ni) (BID* ), it cannot determine the valid 

authentication parameter (i.e., D* ) required to obtain authentication. This is because the OBU does not 
know the AS's secret key (i.e., x), so it cannot compute the value of A t correctly. Moreover, the secret key is 
protected by the one-way hash function h( ), and it is computationally infeasible to derive x from the value h(x). 

10) Fast error detection: In the login or password change procedures, the OBU will detect an error 
immediately if an attacker keys in the wrong user ID or password, (i.e., Step 2 in the login procedure and Step 2 
in the password change procedure) 

11) Choose and change password easily. Users can choose or change their passwords without the AS's 
assistance and constrains, so that it is easy for them to memorize their passwords. 

12) Perfect forward secrecy. The perfect forward secrecy means that the secrecy of previous session keys 
es-tablished by trustful entities is not affected if the new session keys of one or more entities are compromised. 
Our scheme achieves the perfect forward secrecy. This is because the session key of our scheme is generated by 
a hash function and the random number. 

13) Resistance to man-in-the -middle attack: The password and the secret key of the system are used to 
prevent the man-in-middle attack. The attacker cannot pretend to be 

trustful vehicle or LE to authenticate other MVs since he does not own the password (i.e., PW ? ) or the secret key 
(i.e., x). 

14) Resistance to key lifetime self extension attack: In our scheme, a trustful vehicle cannot extend its 
authentica-tion key lifetime (i.e., PSK t ) when the key lifetime is over. This is because the generation of the 
authentication key is based on one-way hash chain function (i.e., Fig. 4). Therefore, the vehicle cannot compute 
a valid authentication key. 

B. Analysis of Computational Cost 

In the analysis of the computational cost, we use the following notations: "— " means there is no 
computational cost in that phase; n: the number of OBUs in the VANET; C h denotes the cost of executing the 
one-way hash function; C X or denotes the cost of executing the XOR operation; and 

denotes the cost of generating a random number. The computational cost of TEAM is shown in Table II. TEAM 
is efficient in terms of the computational cost because it is only based on an XOR operation and a hash function 
without using 
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Asymmetric cryptography. We use Crypto++ Library [19] to evaluate the computing process time of 
operation. Table III shows the computing process time of each operation. We can see that the computing process 
time of hash operation (i.e., SHA-1 and SHA-5 12) is faster than the asymmetric encryption (i.e., RSA-based 
operations). 

C. Analysis of Storage Cost 

In the asymmetric cryptography schemes, each vehicle needs to store the entire public key of users. 
However, this behavior in VANETs is costly and impractical. The complexity of storage cost of asymmetric 
cryptography is 0(n), where n is the total number of vehicles in VANETs. Thus, these asymmetric cryptography 
schemes are not scalable since the storage cost raises when the number of vehicles increases. On the contrary, 
the number of vehicles does not affect the storage cost of TEAM, and the complexity of storage cost of TEAM 
is 0(1). The normal vehicle only stores a few security parameters (i.e., lD h B h C h D b h( )) in security hardware 
of OBU for performing the authentication procedure, and the LE stores a key set. As a result, TEAM saves lots 
of storage cost and with high scalability compared with the asymmetric cryptography schemes. 

Fig. 11. Performance results of the trust-extended and nontrust-extended schemes with different parameters, (a) 
Varied transmission range: LE =10 and V = 20 m/s. (b) Varied number of LEs: R = 200 m and V = 20 m/s. 
(c) Varied vehicle speed: R = 200 m and LE =10. 

D. Trust-Extended Versus Nontrust Extended 

Here, we discuss the performance of authentication pro-cedure of the trust-extended and nontrust- 
extended schemes via NS-2 simulator [21]. The simulation environment is a grid topology over a 3000 m x 
3000 m area. We use a tool (mobility model generator for vehicular networks; MOVE) [22], [23] to rapidly 
generate realistic mobility models for VANET simulations. The LEs and normal vehicles are dis-tributed 
randomly in the network. Each simulation result is 

the average of ten runs. The parameters and values used in the simulations are listed in Table IV. 

Fig. 11 depicts the performance results of the trust-extended and nontrust-extended schemes with different 
parameters. The percentage of authenticated vehicle (i.e., the value of v-axis) is computed as the authenticated 
vehicles divide by the entire vehicles. As a result, the larger transmission range, the greater amount of LEs, and 
the faster vehicle speed are going to quickly increase the percentage of authenticated vehicle due to the MV has 
higher probability to meet the trustful vehicle. Moreover, we can see that the trust -extended scheme is better 
than the nontrust-extended scheme. This is because the trustful vehicle plays the LE role temporarily to assist 
with the authentication procedure of the MV. 

VI. CONCLUSION AND FUTURE WORK 

In this paper, we proposed a decentralized lightweight authentication scheme called TEAM to protect 
valid users in VANETs from malicious attacks. The amount of cryptographic calculation under TEAM was 
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substantially less than in exist-ing schemes because it only used an XOR operation and a hash function. 
Moreover, TEAM is based on the concept of transitive trust relationships to improve the performance of the 
authentication procedure. In addition, TEAM has a few storage spaces to store the authentication parameters. 
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